In this video I will explain the concepts behind 70-410 Objective 5.3, Creating and Managing Active Directory Groups and Organizational Units. Most people confuse Organizational Units (OUs) with Active Directory security groups. They are used for entirely different purposes, but both share the same basic idea of organizing users and computers. OUs organize user and computer objects in AD so that we can apply Group Policy to those objects. Groups organize user and computer accounts in AD so that we can administer by role. That administration takes the form of securing resources with ACLs, where entries for the groups either allow or deny access at varying levels. We cover this first so that we have a clear understanding of the difference between the two before we proceed.
We then look at the security on Organizational Units and how we can delegate control of an OU so that admins can follow the principle of least privilege. In the example we delegate an OU to an ordinary user who might be a manager, so that he or she can reset passwords for their own employees. We could always grant more permission than is needed, but that would do nothing to limit mistakes and abuse of privileges.
We then look at the two group types, Distribution and Security. Since distribution groups are used solely for Exchange recipients and are not an objective for the exam, we will not be discussing them. Security groups come in several scopes: Machine Local groups, Domain Local groups, Global groups and Universal groups. Before discussing group scopes further we look at the basic purpose of groups, which is to organize users together so that we can administer by group rather than by individual user. This process is called Role Based Access Control.
We then focus on the group scopes and which group types can be nested inside each, beginning with Machine Local groups. Machine Local groups have no availability outside the local machine. Domain Local groups can contain other Domain Local groups, Global groups and Universal groups in addition to user accounts and computer accounts. A Domain Local group can be nested under other Domain Local groups only within the domain it was created in; it is "local" to the domain. Global groups can contain only other Global groups in addition to user accounts and computer accounts. They are, however, available outside their domain for nesting in Domain Local groups, Machine Local groups and Universal groups. Universal groups can contain Global groups and other Universal groups in addition to user accounts and computer accounts, and they are available throughout the entire forest.
We then focus on nesting groups to achieve administrative control over permissions while still allowing autonomous control by other admins, for example letting one administrator secure a resource while another administrator organizes their users by role. We use the process of AGDLP or AGUDLP. AGDLP is simply adding user Accounts to Global groups, nesting the Global groups inside Domain Local groups, and assigning Permissions to the Domain Local group. The AGUDLP variation adds user Accounts to Global groups, nests the Global groups inside a Universal group, nests the Universal group inside Domain Local groups, and again assigns permissions to the Domain Local group.
We briefly talk about creating groups with the GUI and from the command line via the DS commands and PowerShell. We also talk about managing groups with Group Policy using Restricted Groups inside a GPO, which lets us either add a user or group to a machine local group or enforce an exact list of members for that machine local group. Finally we learn about group conversion: how we can convert a domain local group to a global group and a global group to a domain local group, and the rules that govern these conversions.
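As an added illustration of the AGDLP nesting and the PowerShell group management described above (this is example code written for this summary, not a script from the video), the following builds a role group, a resource group and the ACL entry, then verifies the nesting. The domain name corp.example, the OU paths, the share path, the user names and all group names are constructed placeholders.

```powershell
# Added example: AGDLP with the ActiveDirectory module (RSAT / domain controller).
# Every name below (domain, OUs, share, users, groups) is a constructed placeholder.
Import-Module ActiveDirectory

$roleOU     = "OU=Role Groups,DC=corp,DC=example"
$resourceOU = "OU=Resource Groups,DC=corp,DC=example"
$sharePath  = "D:\Shares\HR"

# A -> G: user Accounts go into a Global group that describes a role (who they are).
New-ADGroup -Name "GG-HR-Staff" -GroupScope Global -GroupCategory Security `
    -Path $roleOU -Description "HR department staff (role group)"
Add-ADGroupMember -Identity "GG-HR-Staff" -Members "jdoe", "asmith"

# DL: a Domain Local group named for the resource and the level of access it grants.
New-ADGroup -Name "DL-HRShare-Modify" -GroupScope DomainLocal -GroupCategory Security `
    -Path $resourceOU -Description "Modify access to the HR share"

# G -> DL: nest the role group inside the resource group.
Add-ADGroupMember -Identity "DL-HRShare-Modify" -Members "GG-HR-Staff"

# P: only the Domain Local group appears in the ACL; users and role groups never do.
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CORP\DL-HRShare-Modify", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: -Recursive expands the nesting, so jdoe and asmith should be listed even though
# they are not direct members of the Domain Local group.
Get-ADGroupMember -Identity "DL-HRShare-Modify" -Recursive |
    Select-Object Name, objectClass

# Scope conversion: a Global group cannot be switched straight to Domain Local.
# It has to pass through Universal, and that first hop is refused while the group
# is still a member of another Global group. Shown on a scratch group so the
# AGDLP structure above is left intact.
New-ADGroup -Name "GG-Scratch" -GroupScope Global -GroupCategory Security -Path $roleOU
Set-ADGroup -Identity "GG-Scratch" -GroupScope Universal
Set-ADGroup -Identity "GG-Scratch" -GroupScope DomainLocal
```

Run it as an account that has been delegated group creation in both OUs and that holds change-permissions rights on the share; the trailing scratch group exists only to demonstrate the two-step conversion rule.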